A closer look at the new executive order on federal cybersecurity

Bill Brennan is Senior Director of Cyber Business Enablement at Leidos.

The Trump White House recently issued its highly anticipated executive order on cyber defense in the United States (EO 13800, "Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure," signed May 11, 2017). The order builds on President Obama's EO 13636, which produced much of the risk-based cyber framework material U.S. critical infrastructure uses today. Where EO 13636 focused on commercial entities key to U.S. interests, the same cyber risk management concepts now extend to every element of the executive branch.

The new order looks to progress an understanding of the cyber defense posture of the federal government as well as U.S. critical national infrastructure. Agency heads have had to submit assessments of system security ever since the Federal Information Security Management Act of 2002, or FISMA. Expanding upon that concept, the new executive order assigns agency heads accountability for managing cyber risk within their entire organization. Agency leaders have 90 days from the issuance of the executive order to provide the Secretary of Homeland Security and Director of the Office of Management and Budget (OMB) with their current assessment of agency cyber risk. That report must include plans to bring cyber risk down to acceptable levels, commensurate with an associated cost/impact analysis. As the agencies complete their internal analyses, there are a number of other directives from the executive order for them to consider.

Quantifying Cyber Risk

Understanding an organization's cyber risk requires knowing the purpose of the organization and how it uses technology to achieve that purpose. Once that is understood, an analysis of the threats to the confidentiality, integrity and availability of those information systems can be completed. Cyber risk is the gap between the protections actually in place and what an ever-changing threat landscape can do against them. The critical starting point for every organization is getting basic cyber hygiene in order. The executive order (section 1(b)(iv)) specifically identifies known but unmitigated vulnerabilities as among the highest risks to government IT systems. The recent "WannaCry" incident is a clear example: the worm spread through a Windows SMBv1 flaw for which Microsoft had published a fix (MS17-010) roughly two months before the outbreak, so organizations with a proactive modernization and active patch management program were largely spared, while those running unpatched or end-of-life systems were not.

To support consistent quantification of risk across assessments, agencies are directed to use the NIST Cybersecurity Framework (formally the "Framework for Improving Critical Infrastructure Cybersecurity," referred to here as the "Framework"). First released in 2014 in response to EO 13636, the Framework provides cyber risk management guidance for U.S. critical national infrastructure. It gives individual sectors a way to express risk that is meaningful across sectors, as the 2015 FSSCC report noted. The Framework is built on five core functions (Identify, Protect, Detect, Respond and Recover) that, used in concert, give an organization the best ability to manage its cyber risk. These functions are not a checklist or a compliance exercise, but a set of best practices divided into categories and subcategories for implementation.

The functions, described in the graphic below, are designed to be performed concurrently and continuously rather than in sequence, and none depends on another being complete. That said, there is significant benefit when the output of each function is used to inform enhancements in the others: for example, what Detect and Respond reveal about real incidents should feed back into the asset inventory and risk assessment under Identify and the safeguards under Protect.

A distinguishing feature of the Framework is that it supports aligning organizational objectives with cyber defense investments. The current draft 1.1 revision, which is available for public comment, takes this further by recognizing the value of metrics and measurements in determining return on investment. Risk, by nature, exists on a continuum and is never absolute; you cannot buy absolute safety from cyberattacks. However, with an effective measurement program focused on the organization's unique characteristics, a CISO can measure how well risk is actually being managed. A cyber executive's ability to show a cause-and-effect relationship between investment and positive outcomes builds political capital with decision makers. Quantitative measures have long been sought by cyber defense professionals, and as more organizations implement Framework-based measures with both leading metrics (such as patch latency or coverage of multi-factor authentication) and lagging metrics (such as incident counts and time to contain), the community's understanding of this critical area will continue to mature. In the meantime, OMB issued guidance in 2016 on how to complete a crosswalk between FISMA reporting and the Framework.

Preference for shared services

A preference for implementing a shared services model is one of the more interesting elements of the executive order. The goals outlined in Section 1, subsection (c)(vi)(A-C) direct a preference in procurement for shared IT services. This includes everything from email to cloud and cybersecurity services. The specific focus is to create a more modern, secure, and resilient IT architecture in the executive branch. Furthermore, it instructs the director of the newly created American Technology Council to coordinate with DHS, OMB, and GSA to submit a report on how to modernize federal IT. The report must outline the effects of transitioning all agencies or a subset to a shared IT service infrastructure, which represents a massive departure from how federal IT operates today.

The concept of creating a government-wide shared IT services capability is not new. The governments of some of the United States’ closest allies have taken similar steps with varied results. A first mover in 2011, Shared Services Canada (SSC) was created with a mandate to consolidate telecommunications, computing and email infrastructure for 43 agencies. Perhaps ahead of its time, the initiative has struggled to achieve many of the same objectives outlined in the new EO. Last assessed in 2015, SSC was found to be behind on its transformation goals and inconsistently managing the security objectives it was set out to support. Yet, the lessons learned from this endeavor can be integrated into the United States’ implementation of similar concepts.

In partnership since 2014, Leidos Australia is working alongside the Australian Chief Information Officer Group (CIOG) to complete a project called "Centralised Processing." Once completed, this project will consolidate 280 legacy data centers into 12 in Australia and three internationally. The cost savings and consolidation benefits will help the Australian government operate a more secure, resilient, and integrated network for the Australian Department of Defence. Projects like this can provide a blueprint for the U.S. government as it considers its own consolidation efforts.

Collaboration and workforce development

International cooperation is addressed in Section 3(c), with a specific focus on partners. The executive order directs that a report be submitted to the president outlining the relevant agencies' priorities for cyber collaboration. Topics for the report include cyber investigation, attribution, threat information sharing, and capacity building. The U.S. already enjoys excellent working relationships with Interpol and Europol in the area of cybercrime, and has formal collaboration arrangements with Israel, the U.K., and Australia, among others, as well as through existing defense partnerships such as NATO. This report will examine how agency priorities align with these existing partnerships and document an engagement strategy for the future.

Workforce development is also covered by the executive order. Currently, the U.S. workforce presents both the biggest opportunity and the biggest risk to increasing cyber resiliency in the country. The executive order directs that reports be prepared on the sufficiency of efforts to educate and train an American cyber workforce, covering everything from early primary school STEM instruction through university education. Additionally, it directs the Director of National Intelligence to report on the workforce development efforts of foreign cyber peers.

Where Leidos fits in

Developing the cyber workforce of the future is something Leidos works at passionately every day. From helping advance STEM education to supporting the 2017 Cyber Challenge season with the CyberNEXS platform, we're at the forefront of shaping that future. As the largest provider of IT services to the U.S. government, Leidos is uniquely positioned to support federal agencies in implementing this executive order. From large enterprise transformation to government-certified cloud and shared services to federal cyber solutions, we're a one-stop shop with an established track record.

About the author

In this role, he uses his 15 years of experience in cybersecurity to protect Leidos Corporation and support the cyber goals of clients around the world. When not on a plane, most of his time is spent coaching his son’s sports teams or enjoying a rare quiet moment on the back porch with his wife.